Office of Inspector General
Audit Report

GOVERNMENT INFORMATION SECURITY REFORM ACT

STATUS OF EPA’S COMPUTER SECURITY PROGRAM

Report Number: 2001-P-00016
September 7, 2001


Inspector General Division Conducting the Audit:   Information Technology Audits Staff, Washington, D.C.
Regions Covered:                                   Agency-wide
Program Offices Involved:                          Office of Environmental Information:
                                                     Technical Information Security Staff
                                                     Headquarters and Desktop Services Division
                                                     National Technology Services Division

Abbreviations
  CPIC     Capital Planning and Investment Control
  EPA      Environmental Protection Agency
  GAO      General Accounting Office
  GISRA    Government Information Security Reform Act
  GPRA     Government Performance and Results Act
  IRCC     Incident Response Coordinating Center
  IT       Information Technology
  LAN      Local Area Network
  NIST     National Institute of Standards and Technology
  OA       Office of the Administrator
  OAR      Office of Air and Radiation
  OARM     Office of Administration and Resources Management
  OCFO     Office of the Chief Financial Officer
  OECA     Office of Enforcement and Compliance Assurance
  OEI      Office of Environmental Information
  OGC      Office of General Counsel
  OIA      Office of International Activities
  OIG      Office of the Inspector General
  OMB      Office of Management and Budget
  OPPTS    Office of Prevention, Pesticides, and Toxic Substances
  ORD      Office of Research and Development
  OSWER    Office of Solid Waste and Emergency Response
  OW       Office of Water
  QA       Quality Assurance


MEMORANDUM

TO:        Christine Todd Whitman, Administrator

SUBJECT:   GISRA: Status of EPA’s Computer Security Program
           Audit Report No. 2001-P-00016

Attached is our final report entitled “GISRA: Status of EPA’s Computer Security Program.” We conducted this audit pursuant to the Fiscal 2001 Defense Authorization Act (Public Law 106-398), including Title X, subtitle G, “Government Information Security Reform Act” (GISRA or the Act), which the President signed into law on October 30, 2000. The Act requires that Inspectors General provide an independent evaluation of the information security program and practices of the agency. In this initial year, the primary audit objectives were to assess the status of the Agency-wide information technology security program relative to existing policy; determine whether the program is at an acceptable level of effectiveness and improving; and ascertain to what extent the Agency has taken corrective action on significant recommendations from the General Accounting Office’s report on EPA Information Security.

In accordance with the instructions contained in the Office of Management and Budget (OMB) Memorandum 01-24, I am forwarding this report to you for submission, along with the Agency’s required information, to the Director, OMB, in conjunction with the Agency’s fiscal 2003 budget materials.

Should your staff have any questions, please have them contact Pat Hill, Director, Information Technology Audits Staff, at (202) 260-3615, or Ed Shields, Team Leader, at (202) 260-3656.

Nikki L. Tinsley

cc:  M. Schneider, Acting Assistant Administrator and Chief Information Officer


GOVERNMENT INFORMATION SECURITY REFORM ACT:
STATUS OF EPA’S COMPUTER SECURITY PROGRAM
Report No. 2001-P-00016

EXECUTIVE SUMMARY

Despite the Environmental Protection Agency’s (EPA) efforts to improve its security program, we found several key aspects of security that still require management’s attention. These areas include: performance measures; risk management; incident handling; capital planning and investment; enterprise architecture; infrastructure protection; technical controls; and security program oversight. In our opinion, the Agency’s past and present security weaknesses stem from the fact that management has not introduced comprehensive oversight processes to thoroughly assess security risks, plan for the protection of information resources, and verify that best security practices are implemented to ensure the integrity, confidentiality, and availability of environmental data. Given the Agency’s decentralized organizational structure, it is essential that EPA establish a strong leadership and monitoring role to ensure the success of its computer security program.

The Office of Management and Budget (OMB) issued specific Government Information Security Reform Act (GISRA or the Act) reporting instructions to ensure agencies could provide results in a consistent form and format. Therefore, each of the numbered topics shown below relates to a specific agency responsibility outlined in the Act or OMB Circular A-11, “Planning, Budgeting, and Acquisition of Capital Assets.”

Topic 1:  Identify the agency’s total security funding as found in the agency’s fiscal 2001 budget request, fiscal 2001 budget enacted, and the fiscal 2002 budget request. This should include a breakdown of security costs by each major operating division and include critical infrastructure protection costs that apply to the protection of government operations and assets.

Inspectors General are not expected to respond to this topic.

Topic 2:  Identify the total number of programs included in the program reviews or independent evaluations.

For the purposes of this independent evaluation, we reviewed the following computer security program components: risk management; tracking of computer security training; incident handling capability; capital planning and investment; and enterprise architecture. In addition, in recent years, we conducted numerous audits that resulted in findings for many components and aspects of EPA’s security policies and practices. These findings also contributed to our overall conclusion regarding EPA’s entity-wide computer security program.

Topic 3:  Describe the methodology used in the program reviews or independent evaluations.

The primary focus of this audit was to evaluate Agency policies for components of its computer security program and determine how effectively the Agency was monitoring implementation of these policies. To accomplish the audit objectives, we examined a variety of Federal and EPA documents. We also relied on the results of prior audits, as well as preliminary results from an ongoing audit.

We used the General Accounting Office’s (GAO) July 2000 audit report, entitled “Fundamental Weaknesses Place EPA Data and Operations at Risk,” as a key component of our audit methodology. Using the results of GAO’s systems tests, we judgmentally selected a sample of 26 GAO technical recommendations to determine how effectively management had implemented corrective actions.

Topic 4:  Report any material weakness in policies, procedures, or practices as identified and required to be reported under existing law.

We identified the following significant weaknesses: partially developed performance measures; inadequate risk assessment policy; weak incident handling program; inadequate capital planning and investment oversight; incomplete enterprise architecture; undefined infrastructure protection methodology; and under-developed security program oversight.

Topic 5:  The specific measures of performance used by the agency to ensure that agency program officials have: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques. Include information on the actual performance for each of the four categories.

At the close of our field work, the performance measures addressing risk, the adequacy and testing of operational controls, and security plans were still being developed. As such, we were unable to analyze the appropriateness or sufficiency of EPA’s measures. The Agency plans to finalize the performance measures before reporting to OMB, and we will evaluate the measures during the next GISRA reporting cycle.

Topic 6:  The specific measures of performance used by the agency to ensure that the agency Chief Information Officer: 1) adequately maintains an agency-wide security program; 2) ensures the effective implementation of the program and evaluates the performance of major agency components; and 3) ensures the training of agency employees with significant security responsibilities. Include information on the actual performance for each of the three categories.

Prior to GISRA, the Agency had not established specific measures to address security program performance. These performance measures were still being developed at the end of our field work and, therefore, not available for our review. The Agency plans to finalize the performance measures before submitting its GISRA report to OMB. Accordingly, we plan to review the reasonableness of these measures, as well as the accuracy of baseline measurement data, during the next GISRA reporting cycle.

Topic 7:  How the agency ensures that employees are sufficiently trained in their security responsibilities. Identify the total number of agency employees and briefly describe what types of security training were available during the reporting period, the number of agency employees that received each type of training, and the total costs of providing such training.

The Office of Environmental Information (OEI) has delegated the responsibility of ensuring employees are sufficiently trained in their security responsibilities to the various regions and program offices. Our audit did not include assessing the effectiveness of this effort.

As a response to Office of Management and Budget (OMB) Memorandum 01-24, EPA solicited data on the types of security training, the number of agency employees receiving each type of training, and the total costs of such training from its 23 regional and program offices. According to the data submitted by the regions and program offices, from February 2000 to June 2001, the Agency spent $780,426 to train its employees in various security-related courses (see Appendix II). However, as of the writing of this report, OEI was still collecting missing and incomplete training data; as such, the numbers shown in Appendix II may not agree with the Agency’s final totals. In addition, OEI has not verified the accuracy of collected data. Without such verification, the reliability of these numbers is uncertain.

Topic 8:  The agency’s documented procedures for reporting security incidents and sharing information regarding common vulnerabilities. Include a description of procedures for external reporting to law enforcement authorities and to the General Services Administration’s FedCIRC (Federal Computer Incidents Response Capability). Include information on the actual performance and the number of incidents reported.

The Agency’s official procedures for reporting security incidents and sharing information regarding vulnerabilities need improvement. EPA solicited data on the number and type of incidents reported from its 23 regional and program offices (see Appendix III). EPA currently lacks an agency-wide program to ensure incidents are handled in a thorough, consistent, and timely manner throughout regional and program offices. In light of these weaknesses, we question the Agency’s ability to accurately determine whether all security incidents are identified, contained, eradicated, recovered, followed up on, or reported to FedCIRC in a timely fashion. However, efforts are underway to create a comprehensive, consistent Agency-wide incident handling program. EPA management has tentatively decided to implement a distributed business model to communicate and coordinate incident handling activities across the agency. At this point, management has neither developed an implementation schedule nor committed significant resources to achieve the goal.

Topic 9:  How the agency integrates security into its capital planning and investment control process. Were security requirements and costs reported on every fiscal 2002 capital asset plan (as well as exhibit 53) submitted by the agency to OMB?

EPA has not consistently integrated security into its Capital Planning and Investment Control (CPIC) process. Although EPA has begun to integrate security into its CPIC process, more work is needed. We reviewed 47 major Information Technology (IT) capital investment project proposals, as reported to OMB (via Exhibit 300B of the Agency’s A-11 budget submission) in December 2000, and found that almost half of these projects were submitted to OMB without approved security plans.

Although the Agency includes cost data for IT capital investment project proposals reported to OMB, we question the accuracy of reported costs. EPA does not have a cost accounting system that would enable managers to track IT project costs; therefore, it may be difficult for EPA to substantiate the IT project costs reported via Exhibit 53 of the Agency’s A-11 budget submission to OMB. We are currently evaluating the reliability of reported IT project costs in an ongoing audit.

Topic 10:  The specific methodology used by the agency to identify, prioritize, and protect critical assets within its enterprise architecture, including links with key external systems. Describe how the methodology has been implemented.

At this point, management has not identified, prioritized, or otherwise specified a methodology for protecting critical assets under its enterprise architecture plan. EPA’s Enterprise Architecture plan, dated March 29, 2001, does not define a security architecture. Whereas the Agency recognizes the importance of security, the plan defers completion of that component to some future time. This summer, the Agency stated its intent to form workgroups to address specific aspects of the architecture, and to clearly define roles and responsibilities. We expect it will take significant resources and time for EPA to complete the Enterprise Architecture, including the security architecture component.

Topic 11:  The measures of performance used by the head of the agency to ensure that the agency’s information security plan is practiced throughout the life cycle of each agency system. Include information on the actual performance.

At the close of our field work, the Agency was still in the process of developing performance measures to ensure the Agency’s information security plan is practiced throughout the life cycle of each agency system. The Agency plans to finalize the performance measures before submitting its GISRA report to OMB. As such, we will audit the measures in the next GISRA reporting cycle. At this point, OEI management does not periodically validate whether regional and program offices actually implement Agency policy requirements by considering, planning for, and documenting security requirements throughout a system’s life cycle.

Topic 12:  How the agency has integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., physical and operational).

EPA needs to better integrate its information and IT security program with its critical infrastructure protection responsibilities. The Agency categorizes its critical assets as physical, emergency response, telephony, and information technology. However, management was unable to provide or describe the methodology used to identify, prioritize, and protect its critical assets. Without a sound methodology, EPA may not be properly applying its limited security resources to information assets consistent with their level of importance to the Agency’s mission. Furthermore, our audit disclosed that major IT infrastructure projects did not have required security plans.

Topic 13:  The specific methods (e.g., audits or inspections) used by the agency to ensure that contractor-provided services or services provided by another agency are adequately secure and meet the requirements of the Security Act, OMB policy and National Institute of Standards and Technology (NIST) guidance, national security policy, and agency policy.

No quality assurance (QA) process exists across the agency to ensure contractor-provided services are adequately secure and meet the requirements of the Act. OEI management is beginning to address its oversight responsibilities, but management will need to dedicate additional resources to fully develop and implement QA processes throughout the Agency. The absence of this vital function was, we believe, a key contributing cause to the security program weaknesses mentioned in this report. For several years, in conjunction with the Integrity Act, the Office of Inspector General (OIG) has formally advised EPA to establish a centralized security program with strong oversight processes that would adequately address risks and ensure valuable information resources and environmental data are secure.

In fiscal 2000, management agreed to include an Integrity Act action item that partially addressed its oversight responsibilities (i.e., a commitment to conduct random, formal program office security plan reviews of mission-critical systems). After an initial round of reviews, management is revising its QA approach to achieve more reliable and comparable results. During the last year, management initiated other activities to verify the integrity of its system networks; however, many aspects of the security program are still left to the discretion of individual program and regional offices without benefit of any formalized oversight processes. In an agency as decentralized as EPA, it is imperative that management build a coordinated, comprehensive monitoring program to ensure the effectiveness of its entity-wide computer security program and practices.


TABLE OF CONTENTS                                                              Page

Executive Summary ........................................................... i
Purpose ..................................................................... 1
Background .................................................................. 1
Scope and Methodology ....................................................... 2
Prior Audit Coverage ........................................................ 3
Ongoing Audit Work .......................................................... 4
Criteria .................................................................... 4
Security Program Performance ................................................ 4
    Performance Measures Not Fully Developed ................................ 5
    Risk Assessment Guideline Missing Significant Elements .................. 5
    Security Awareness Training Tracked But Not Verified .................... 6
    Incident Handling Program Needs Improvement ............................. 6
    Capital Planning and Investment Control Needs Improvement ............... 7
    Enterprise Architecture Does Not Define Security Architecture ........... 7
    Need to Better Integrate IT Security With Infrastructure Protection ..... 8
    Agency Correcting Technical System Weaknesses ........................... 8
    Oversight Role Needed To Verify Effectiveness Of Security Program ....... 9
Recommendations ............................................................ 10

Appendices
    I.    Criteria and Guidance ............................................ 12
    II.   Security Training-Related Data ................................... 14
    III.  Information Security Incidents ................................... 15
    IV.   Distributed Business Model for Incident Response Coordinating Center  16
    V.    Report Distribution .............................................. 17


GOVERNMENT INFORMATION SECURITY REFORM ACT:
STATUS OF EPA’S COMPUTER SECURITY PROGRAM
Report No. 2001-P-00016

The Environmental Protection Agency (EPA) has made substantial progress toward ensuring the security of its information assets; however, more work is needed. During a fiscal 2000 audit, the General Accounting Office (GAO) performed significant tests of EPA’s network and operating systems’ security controls, and found many pervasive and serious security weaknesses. In response to noted technical weaknesses, EPA temporarily disconnected its network from the Internet to accelerate installation of improved security features. Since then, the Agency has taken steps to further separate EPA’s Wide Area Network from the Internet; implement better approaches to monitor, detect, and deter Internet attacks and unauthorized users; conduct formal reviews of information security plans; update EPA’s policies for protecting and handling sensitive business information; and increase the Agency’s efforts to create a more security-minded workforce.

Despite EPA’s efforts to improve its security program, we found several key aspects of security that still require management’s attention. These areas include: performance measures; risk management; incident handling; capital planning and investment; enterprise architecture; infrastructure protection; technical controls; and security program oversight. In our opinion, the Agency’s past and present security weaknesses stem from the fact that management has not introduced comprehensive oversight processes to thoroughly assess security risks; plan for the protection of information resources; and verify that best security practices are implemented to ensure the integrity, confidentiality, and availability of environmental data. Given the Agency’s decentralized organizational structure, it is essential that EPA establish a strong leadership and monitoring role to ensure the success of its computer security program.

PURPOSE

The audit objectives were to assess the status of the Agency-wide information technology (IT) security program relative to existing policy; determine whether the program is at an acceptable level of effectiveness and progressing upwards; and ascertain to what extent the Agency has taken corrective action on significant recommendations contained in GAO’s report on EPA Information Security (GAO/AIMD-00-215).

BACKGROUND

On October 30, 2000, the President signed into law the Fiscal 2001 Defense Authorization Act (Public Law 106-398), including Title X, subtitle G, “Government Information Security Reform Act” (GISRA or the Act). The Act primarily addresses the program management and evaluation aspects of information security. The Act became effective on November 29, 2000, and expires in two years. Sub-chapter II, section 3535, requires that Inspectors General provide an independent evaluation of the information security program and practices of the agency. On January 16, 2001, the Office of Management and Budget (OMB) issued guidance on implementing GISRA, and subsequently issued finalized reporting instructions in Memorandum 01-24 on June 22, 2001. These reporting instructions highlighted topics outlined in the Act and provided a consistent form and format for agencies to use.

Under GISRA, Inspectors General, or independent evaluators they choose, are to perform an annual evaluation of the agency’s security program and practices. The evaluations are to include tests related to the effectiveness of security controls for an appropriate subset of Agency systems.

SCOPE AND METHODOLOGY

The primary focus of this audit was to evaluate Agency policies for components of its computer security program and determine how effectively the Agency was monitoring implementation of these policies. To accomplish the audit objectives, we examined a variety of Federal and EPA documents, including policies on risk management; incident handling capability; capital planning and investment; enterprise architecture; and system life cycle management. In addition, we relied on the results of prior audits as well as preliminary results of ongoing audits.

GAO’s July 2000 audit report, entitled “Fundamental Weaknesses Place EPA Data and Operations at Risk,” was a key component of our audit methodology. We used the results of GAO’s systems tests as a basis for identifying serious, technical weaknesses. Rather than conducting new tests of controls, we judgmentally selected a sample of 26 GAO technical recommendations to determine how effectively management had implemented corrective actions. Thirteen recommendations related to Novell Local Area Network (LAN) weaknesses, while the other 13 involved mainframe computer operations.

In conjunction with OMB M-01-24, we attempted to obtain and audit relevant data. Whereas management was able to provide some data on security risk assessments and security incidents, we discovered that EPA did not formally coordinate, measure, or track these statistics prior to the OMB request. During the audit cycle, the Agency began the process of developing performance measures and gathering baseline information. However, in many instances, the data was not available in time for sufficient analysis and audit verification.

The Office of Inspector General conducted this audit in accordance with Government Auditing Standards (1999 revision) issued by the Comptroller General of the United States. We conducted our audit fieldwork from June 18, 2001 through July 20, 2001, at EPA Headquarters in Washington, D.C., as well as the Agency’s National Computer Center in Research Triangle Park, North Carolina. In conjunction with our field work, we interviewed personnel within the Office of Environmental Information’s Technical Information Security Staff, Headquarters and Desktop Services Division, and the National Technology Services Division.

PRIOR AUDIT COVERAGE

During recent years, we have audited many components and aspects of EPA’s security policies and practices. As a result of OIG report findings, EPA first declared Information Systems Security Planning as a material weakness in its fiscal 1997 Federal Managers’ Financial Integrity Act Report (Integrity Act). In following years, management continued to work on security problems and, in fiscal 1999, extended the material weakness to address GAO report findings and to assess the effectiveness of new Agency policies and procedures.

The following audit reports highlight some recent security findings:

•  In March 2001, we issued Report No. 2001-P-00004, “Environmental Protection Agency Payroll and Personnel Systems (EPAYS) Access Controls.” This audit found that EPA did not adequately control access to EPAYS. Some users had EPAYS access when they did not need it, and others were granted access authorities greater than needed. Furthermore, some users continued to have access after they left the Agency or transferred to different job functions. EPAYS is used to process all EPA payroll and personnel-related data, and improperly managed access controls increase the potential for fraud, waste, and abuse of such data. In addition, users were granted excessive access to EPAYS data sets that contained sensitive information. Many of these users generally needed access to some of the data sets but not all. Excessive access can result in EPA employees’ personnel information being vulnerable to misuse or abuse.

•  In July 2000, GAO issued Report No. GAO/AIMD-00-215, “Fundamental Weaknesses Place EPA Data and Operations at Risk.” This audit found serious and pervasive problems that essentially rendered EPA’s agency-wide information security program ineffective. GAO’s tests of computer-based controls concluded that the computer operating systems and the Agency-wide computer network that support most of EPA’s mission-related and financial operations were riddled with security weaknesses. Of particular concern was that many of the most serious weaknesses identified had been previously reported to EPA management by EPA’s OIG in 1997.

•  In June 2000, we issued Report No. 2000-1-00330, “RACF Security Controls.” This audit found that EPA’s Resource Access Control Facility settings did not adequately protect system resources. Specifically, excessive authority was granted to users via the resource classes. In addition, resource class settings did not optimize system security. As a result, the potential misuse, manipulation, and/or destruction of EPA’s information resources was increased.

•  In January 1999, we issued Report No. 9300001, “Operating System Software Controls.” This audit found EPA’s Enterprise Technology Services Division (ETSD), currently called the National Technology Services Division, was not maintaining and reviewing authorized program facility (APF) libraries in a timely manner, and was not adequately controlling the number of users who had ALTER and/or UPDATE access capabilities to APF libraries. Without effectively managing the contents of the APF, and controlling access to APF, ETSD management could not be assured programs running in an authorized state would adhere to Multiple Virtual Storage system integrity requirements or Agency integrity guidelines. In addition, without effective access controls to the APF, a knowledgeable user could circumvent or disable security mechanisms and/or modify programs or data files on the computer without leaving an audit trail.

•  In December 1997, we issued three reports on Physical and Environmental Information Systems Controls at EPA Regional Facilities. These reports involved Region I (Report No. E1AMN7-15-7001-8300007), Region III (Report No. E1AMN7-15-7001-8300006), and Region V (Report No. E1AMN7-15-7001-8300003). These audits found that Regions I, III, and V did not require General Services Administration contractors, who were responsible for Agency information systems, to undergo criminal and financial background investigations.

•  In September 1997, we issued Report No. 7100284, “EPA’s Internet Connectivity Controls.” This audit found EPA had not sufficiently developed or implemented adequate controls to prevent or detect improper/illegal access to its systems from the Internet. As a result, EPA could not be assured its information resources were sufficiently protected from unauthorized access/use, manipulation, and destruction. These weaknesses occurred primarily because EPA had not developed and implemented a network security policy for the Agency that included Internet access and usage.

ONGOING AUDIT WORK

We are currently evaluating EPA’s IT Capital Investment Process to determine whether IT projects are adequately planned, screened, and formally approved prior to being recommended for funding in the budget. In addition, this audit is assessing how effectively and efficiently IT investment projects are managed.

CRITERIA

Federal laws, policies, and guidelines were used to form a framework of prudent, stable business practices and, therefore, served as a means to evaluate the effectiveness of Agency security policies and practices. Appendix I contains a summary of the criteria used during our audit.

SECURITY PROGRAM PERFORMANCE

EPA is making progress toward implementing an Agency-wide security program and responding to GAO recommendations. However, our audit identified several areas where improvement is necessary. These areas include: performance measures; risk management; incident handling; capital planning and investment; enterprise architecture; infrastructure protection; technical controls; and security program oversight.

Performance Measures Not Fully Developed

Prior to implementation of the GISRA, the Agency had not established specific measures to address security program performance.
Pursuant to the OMB reporting instructions, the Agency\nrecognized the valuable role performance measures play in supporting an effective information\nsecurity program. In this spirit, management directed resources to develop performance measures\naddressing specific OMB topics. At the close of our field work, the performance measures were\nstill being developed and, therefore, not available for audit analysis. The Agency plans to finalize\nthe performance measures before reporting to OMB. As such, we will audit the measures in the\nnext GISRA reporting cycle.\n\nWe also noted that EPA\xe2\x80\x99s current Government Performance and Results Act (GPRA) goals and\nobjectives do not contain any security-related annual performance goals (APGs) or measures.\nGiven the absence of such GPRA APGs and measures, we are uncertain how management intends\nto align the newly-developed, internal security measures (i.e., the major aspects of its security\nprogram) with EPA\xe2\x80\x99s strategic goals and objectives to help managers effectively use systems and\ndata to achieve environmental results.\n\nRisk Assessment Guideline Missing Significant Elements\n\nEPA\xe2\x80\x99s draft \xe2\x80\x9cRisk Assessment Guideline\xe2\x80\x9d is a good first step toward developing a robust risk\nassessment framework; however, it is missing key elements. Our comparison of National Institute\nof Standards and Technology (NIST) Publication 800-30, \xe2\x80\x9cRisk Management Guide\xe2\x80\x9d and EPA\xe2\x80\x99s\n\xe2\x80\x9cRisk Assessment Guideline\xe2\x80\x9d revealed significant gaps between the two documents. The NIST\nguidance presents a comprehensive approach that will allow IT personnel to isolate a variety of\nrisks, determine the extent of a compromise, and identify potential mitigation options. 
It covers\nseveral risk assessment and risk mitigation issues that EPA\xe2\x80\x99s Guide does not discuss in sufficient\ndetail:\n\n       \xe2\x80\xa2      Risk Assessments\n              T      Control Analysis\n              T      Likelihood Determination\n              T      Impact Analysis\n              T      Level of Risk Determination\n\n       \xe2\x80\xa2      Risk Mitigation\n              T      Cost-benefit Analysis\n              T      Residual Risk\n\n\n\n                                                  5\n\x0cEPA\xe2\x80\x99s information assets may be more vulnerable to loss of availability, integrity, and\nconfidentiality if the risk assessment and mitigation elements listed above are excluded from its\npolicy, procedures, and practices.\n\nSecurity Awareness Training Tracked But Not Verified\n\nChapter 8 of EPA Manual 2100, Information Resources Management Policy Manual, authorizes\nthe information program offices and region to determine whether employees are sufficiently\ntrained in their security responsibilities. Our audit did not include assessing the effectiveness of\nthis effort.\n\nIn response to M-01-24, EPA solicited data on the types of security training, the number of\nagency employees receiving each type of training, and the total costs of such training from its 23\nregional and program offices. The results of the data collected indicate that for the February 2000\nthrough June 2001 time period, the Agency spent $780,426 to train its 17,382 (540 technical staff\nand 16,842 general staff) employees in various security-related courses (see Appendix II.) The\nAgency estimated spending an additional $40,000 for a security conference held in August. As\nshown in Appendix II, the percentages of staff trained ranged from 0.02 percent to 20.5 percent\nfor general staff and from 6.48 percent to 95.93 percent for technical staff, depending on the type\nof training delivered. 
For example, 3,453 general staff (20.50%) and 518 technical staff (95.93%) received "Other Security Awareness Training" during the stated period. However, when it came to specialized training, such as "Security Management Training," only 20 general staff (0.12%) and 74 technical staff (13.70%) received training.

As of the writing of this report, OEI is still collecting missing and incomplete training data; as such, the numbers shown in Appendix II may not agree with the Agency's final totals. In addition, OEI has not verified the accuracy of collected data. Without such verification, the reliability of these numbers is uncertain.

Incident Handling Program Needs Improvement

The EPA does not have a robust, agency-wide security incident handling program. At this point, EPA is unable to accurately determine whether all security incidents are identified, contained, eradicated, recovered from, followed up on, or reported to FedCIRC (Federal Computer Incident Response Capability) in a timely fashion. OEI, in response to OMB's reporting instructions, solicited data on the number and type of incidents reported from EPA's 23 regional and program offices (see Appendix III). Because regions and program offices may have interpreted the Agency's collection instrument differently when generating their data, we are uncertain whether the incident handling data, as presented in the Agency's annual agency program review responding to GISRA, can be fully relied upon for completeness or consistency. These concerns are compounded by the fact that OEI management only inquired about missing or seemingly abnormal data; they have not, nor do they plan to, verify the accuracy of data collected for performance measurement purposes. As it looks to the future, OEI has undertaken efforts to create a comprehensive, consistent Agency-wide incident handling program. After considering several business model options, EPA's senior IT management has tentatively decided on a distributed business model solution.

A distributed business model involves creating an Incident Response Coordinating Center, which would be the central point of contact assisting with communicating and coordinating incident handling activities across the Agency in cooperation with local business units (see Appendix IV). According to Agency documents, this approach will address computer security incidents, including unauthorized root access, unauthorized user access, malicious code, virus detection, denial of service, and theft of data. Although the Agency has selected a model that appears to address the relevant issues, it has neither developed an implementation schedule nor committed significant resources to implementing the plan. Without a comprehensive, Agency-wide security incident handling program, EPA management will not be able to ensure incidents are handled in a thorough, consistent, and timely manner throughout regional and program offices, or gauge the Agency's progress in minimizing threats.

Capital Planning and Investment Control Needs Improvement

EPA has begun to integrate security into its Capital Planning and Investment Control process, although we have significant concerns regarding the progress to date. We reviewed 47 major IT capital investment project proposals, as reported to OMB (via Exhibit 300B of the Agency's A-11 budget submission) in December 2000. EPA submitted almost half of these projects to OMB without approved security plans, although such plans are required for each general support system according to OMB Circular A-11. (See Appendix I for further details regarding Federal requirements.) As of December 2000, OMB had approved EPA's budget document, funding major IT systems despite the exclusion of approved security plans. In our opinion, EPA should develop risk-based security plans for all its major IT systems before submission to OMB.

Although the Agency includes cost data for IT capital investment project proposals reported to OMB, we question the accuracy of reported costs. EPA does not have a cost accounting system that would enable managers to track IT project costs; therefore, it may be difficult for EPA to substantiate the IT project costs reported via Exhibit 53 of the Agency's A-11 budget submission to OMB. We are currently evaluating the reliability of reported IT project costs in an ongoing audit.

Enterprise Architecture Does Not Define Security Architecture

We reviewed the Agency Enterprise Architecture¹ plan, dated March 29, 2001, and concluded that the plan did not define a security architecture. OMB had requested EPA's enterprise architecture plan on November 9, 2000, although it was not submitted to OMB until April 6, 2001. The plan identified security architecture as one of its seven main components, but stated that the Agency would identify a security architecture in the future. In July 2001, EPA management convened an Enterprise Architecture Summit where team roles and responsibilities were discussed. As a result of the meeting, EPA plans to form workgroups to address specific aspects of the architecture. We expect it will take significant resources and time to complete the Enterprise Architecture, including the security architecture component. At this point, management has not identified, prioritized, or otherwise specified a methodology for protecting critical assets under its critical enterprise architecture plan. As of July 2001, management had not approved a plan to complete the security architecture.

¹ An Enterprise Architecture is an integrated framework that defines the baseline, transitional and target business processes, and information technology of an organization.

Need To Better Integrate IT Security With Infrastructure Protection

OEI categorizes its critical assets as physical, emergency response, telephone, and information technology. However, at the end of our field work, OEI was unable to provide the methodology used to identify, prioritize, and protect critical assets, or describe how this methodology has been implemented. Without a sound methodology, EPA may not be properly applying its security resources to information assets consistent with their level of importance to the Agency's mission.

Our audit disclosed that major IT infrastructure projects did not have required security plans. Of the 47 IT project proposals mentioned previously, 10 were major IT infrastructure projects. We reviewed the Exhibit 300B reports for the 2002 budget, and found that 7 of the 10 projects did not have approved security plans. (We did not review the adequacy of the security plans for 3 of the 10 infrastructure projects.) In our opinion, the project managers of infrastructure projects should complete an approved risk-based security plan to ensure critical controls are adequate to protect the major information systems, business processes, and data these infrastructures support.

Agency Correcting Technical System Weaknesses

In July 2000, GAO reported numerous technical-oriented recommendations to improve security over EPA's wide area network. The Agency continues to eliminate these technical weaknesses and improve overall network security configuration and practices; however, management needs to do more. We reviewed the implementation of 26 recommendations during our audit cycle. Thirteen of the recommendations related to mainframe computer operations and 13 concerned Novell LAN security. The Agency provided adequate evidence to support corrective actions for all 13 mainframe recommendations, as well as three of the 13 Novell recommendations. However, EPA did not provide timely documentation to support its corrective actions for the remaining 10 Novell weaknesses; therefore, we could not determine whether EPA had fully implemented GAO's technical recommendations for its Novell systems.

The Agency's inability to provide sufficient support and evidence of adequate corrective action raises questions about the extent to which these recommendations have been addressed. If EPA does not completely address these recommendations, unauthorized users could gain control of individual EPA computer applications and the data used by these applications.

Oversight Role Needed To Verify Effectiveness Of Security Program

OEI is only beginning to establish some security oversight for EPA's complex information systems network. The absence of this vital function was, we believe, a key contributing cause to the security program weaknesses mentioned in this report. For several years, in conjunction with the Integrity Act, the OIG has formally advised EPA to establish a centralized security program with strong oversight processes that would adequately address risks and ensure valuable information resources and environmental data are secure.

Under the Integrity Act, EPA has implemented numerous corrective actions to improve its information systems security plans and program, and eliminate this material weakness from its Integrity Act reporting. However, OEI management has repeatedly excluded establishing a robust oversight role from its corrective action plan for the program. In its fiscal 2000 Integrity Act Report, EPA agreed to include an action item that partially addressed these responsibilities (i.e., a commitment to conduct random, formal program office security plan reviews of mission-critical systems). To that end, OEI used contractor services to evaluate a sampling of information system security plans; however, OEI ultimately found the results unsatisfactory for QA purposes. Consequently, OEI has decided to revise its QA review approach by (1) better defining evaluation criteria, and (2) ensuring that contractors follow consistent verification procedures and adequately evaluate the substance of relevant source documents.

By establishing a limited QA process, OEI management is taking its first step towards addressing its oversight responsibilities for EPA's security program. However, we believe much more needs to be done to ensure the effectiveness of EPA's entity-wide computer security program and practices. For example, OEI currently does not perform oversight to determine whether regional and program offices follow Agency policies for system life cycle management (EPA Directive 2100, Chapter 17). This policy identifies the stages of the system life cycle, and requires managers to comply with Federal and Agency security requirements for planned and ongoing information systems. However, OEI does not periodically validate whether regional and program offices actually implement the policy requirements by considering, planning for, and documenting security requirements throughout a system's life cycle.

As another example, OEI is collecting data from regional and program offices through an Agency-wide, self-assessment tool.
OEI will use this data as a baseline for its new security-related performance measures; however, management has no plans to perform field work to verify the accuracy of collected data. OEI officials stated that they will only inquire about missing or seemingly abnormal responses prior to reporting to OMB; after submission, no additional checks will be performed.

To their credit, EPA hired a contractor to conduct subsequent rounds of penetration tests on its network systems. The first round of tests applied the same methodology GAO used during their security audit, and the contractor reported that only minor vulnerabilities were found. OEI plans to conduct another round of penetration tests over the next six months, and states that these tests will be more intrusive in nature. During our audit, we evaluated the contractor's Draft Penetration Testing Program Concept of Operations (i.e., the draft penetration test plan for the second set of tests), dated June 22, 2001. The draft plan mainly defined penetration terms, but did not include key elements, such as: tools to be used; specific system targets; penetration limits; and expected, acceptable outcomes.

EPA is a very decentralized agency - a fact that increases the importance of using a coordinated, comprehensive monitoring program. Without regular, effective oversight processes, EPA management will continue to place unsubstantiated trust in its many components to fully implement, practice, and document security requirements. Moreover, the public and Congress may continue to question how well the Agency plans for and protects its information resources to ensure the integrity, confidentiality, and availability of environmental data.

Recommendations

We recommend EPA's Chief Information Officer implement the following actions.

For performance measures:
1.     Review the newly-developed performance measures to ensure they adequately cover major aspects of the security program. Also, incorporate major performance measures into annual performance goals, and align them with the Agency's strategic goals and objectives.

2.     Establish a system to effectively monitor progress on the established performance measures.

For risk assessments:
3.     Revise the Risk Assessment Guideline to include the risk assessment and mitigation items contained in NIST Publication 800-30, as described in this report.

For incident handling:
4.     Formally approve and proceed with implementing the Distributed Business Model.

5.     Develop a detailed plan and schedule for agency-wide implementation of the Distributed Business Model.

6.     Develop and implement a process to monitor the agency-wide implementation of the Distributed Business Model.

For IT Capital Planning and Investment Control:
7.     Develop risk-based security plans for all major IT systems before submission to OMB.

For Enterprise Architecture:
8.     Develop and approve a formal plan to develop a security architecture, and include it in the enterprise architecture.

For Information Technology Security Infrastructure:
9.     Complete an approved risk-based security plan to ensure critical general controls are adequate to protect the major information systems these infrastructures support.

For GAO technical recommendations:
10.    Implement all GAO Novell LAN recommendations, thoroughly documenting how each technical weakness was corrected.

For Computer Security Oversight Role:
11.    Establish a comprehensive and robust security oversight role, with sufficient resources, to verify Agency practices conform to relevant performance measures and Agency policies.

12.    Develop and implement an agency-wide strategy for overseeing major aspects of EPA's computer security program.

13.    Routinely assess, test, and provide feedback to regional and program offices regarding the effective implementation of Agency policies.

14.    Validate whether regional and program offices consider, plan for, and document security requirements throughout a system's life cycle.

15.    Identify tools to be used; specific system targets; penetration limits; and expected, acceptable outcomes in all future penetration testing plans.

APPENDIX I

Criteria and Guidance

Government Information Security Reform Act (GISRA)
GISRA addresses the program management and evaluation aspects of information security. The Act requires that Inspectors General provide an independent evaluation of the information security program and practices of the Agency. The independent evaluation must include testing the effectiveness of information security control techniques for an appropriate subset of the Agency's information systems, and an assessment of the results of that testing.

Reporting Instructions for the Government Information Security Reform Act
OMB Memorandum M-01-24, dated June 22, 2001, requests IGs to respond to 12 topics when reporting an agency's actual performance in implementing the Security Act.

OMB Circular No. A-11 (Appendix 300B) - Planning, Budgeting, and Acquisition of Capital Assets
The policy requires agencies to demonstrate that security plans for major IT projects:

       •       include security controls for components, applications and systems that are consistent with the Agency's IT architecture;
       •       are well-planned;
       •       manage risks;
       •       protect privacy and confidentiality; and
       •       explain any planned or actual variance from NIST security guidance.

OMB Circular No. A-130 (Appendix III) - Security of Federal Automated Information Resources
This appendix establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and management control systems established in accordance with OMB Circular No. A-123.

NIST Special Publication 800-14 - Generally Accepted Principles and Practices for Securing Information Technology Systems
This document provides a baseline that organizations can use to establish and review their IT security programs.

NIST Special Publication 800-18 - Guide for Developing Security Plans for Technology Systems
This publication provides a guideline for Federal agencies to follow when developing security plans to document the management, operational, and technical controls for Federal automated information systems.

NIST Special Publication 800-30 - Draft Risk Management Guide
This document provides both definitional and practical guidance regarding the concept and practice of managing IT-related risk.
The publication defines risk as the net impact of an adverse IT-related event.

EPA Manual 2100, Chapter 8
This policy authorizes the various program offices and regions to determine whether employees are sufficiently trained in their security responsibilities.

EPA Manual 2100, Chapter 17
This policy establishes the life cycle requirements of EPA's automated information systems. It identifies the stages of the systems life cycle and requires that information systems comply with Federal and Agency policies. It applies to all automated information application systems EPA develops, produces, or maintains.

APPENDIX II

Security Training-Related Data
Reported For February 1, 2000 Through June 15, 2001

    Total Number of Employees           17,382
    Total Number of General Staff       16,842
    Total Number of Technical Staff        540

    Type of Training                                         General    Percent     Technical    Percent          Cost
                                                               Staff    Trained         Staff    Trained
    2000 Information Security Officer (ISO) Forum                  0       0.0%            68     12.59%       $40,000
    System Security & Exploitation Training (SYTEX)                0       0.0%            35      6.48%       $50,000
    New Employee Orientation Training                            930      5.52%            92     17.04%            $0
    Senior Executive and Management Training                      86      0.51%             0       0.0%      $146,399
    Agency-wide Security Awareness Training             not reported                        0       0.0%      $100,000
    Other Security Awareness Training                          3,453     20.50%           518     95.93%       $10,515
    Security Management Training                                  20      0.12%            74     13.70%       $84,985
    Systems Management Training                                    4      0.02%            92     17.04%       $71,461
    Database Management Training                                   7      0.04%            62     11.48%      $108,629
    Technical Certification Training                               3      0.02%            60     11.11%      $168,437
    Total Dollars Spent                                                                                      *$780,426

*This figure does not include $40,000 which the Agency planned to spend on a security conference held in August 2001.

APPENDIX III

Information Security Incidents
Reported For February 1, 2000 Through June 15, 2001

                                          NUMBER OF INCIDENTS                                   STATUS
 Region/Program       Total Number           Number        Number of        Number of   Documented Procedures
 Office                of Security      Reported to        Incidents        Incidents   for Handling Incidents?
                        Incidents        Technical             Open           Closed
                                    Support Center
 Region 1                      10                7                0                8   No
 Region 2                      69                0                0               69   Yes
 Region 3                     152                0                0              152   Yes
 Region 4                       5                0                0                5   Yes
 Region 5                       2                2                2                2   No
 Region 6                      87                0                0                0   Yes
 Region 7                   3,000                0                0                0   Not Reported
 Region 8                     216                2                0              216   Yes
 Region 9            Not Reported     Not Reported     Not Reported     Not Reported   Not Reported
 Region 10                     14                7                0               14   Yes
 OA                           202                0                1              201   Yes/No
 OAR                          129                5                0               23   No
 OARM                          82               12                1               81   Yes
 OCFO                          12               12                0               12   Yes
 OECA                          11                0                0               11   Yes
 OEI                          121              117               21               99   Yes
 OGC                           13                0                0               13   Yes
 OIA                            0                0     Not Reported     Not Reported   No
 OIG                            1                1                0                1   Not Reported
 OPPTS                          3                0                0                3   Yes
 ORD                          141                9                3              138   Yes
 OSWER                          7                5                0                5   Not Reported
 OW                             8                0                0                6   Yes
 Total                      4,278              179               28            1,059

APPENDIX IV

Distributed Business Model for Incident Response Coordinating Center

The Distributed Business Model involves creating an Incident Response Coordinating Center (IRCC), which would be the central point of contact assisting with communicating and coordinating incident handling activities across the Agency in cooperation with local business units. A central expert team available upon request would further support the central IRCC in responding to local business units or in responding to complex and/or catastrophic incidents. The expert team would comprise virtual team members. A virtual team means the team members are positively identified and available when needed. Virtual team members would not have incident handling as a full-time job, but it would be their priority duty during an incident. The virtual team members would be selected based upon skill sets necessary to address Agency platforms and operating systems. This distribution of virtual team membership would add to the expert teams' understanding of Agency business and infrastructure. Local business units at each campus (e.g., headquarters, labs, regions, programs) would have a local incident response team providing the technical, management, and communication response for localized incidents. Local business units would provide reports to the central IRCC.

[Figure: organization chart of the Distributed Business Model. The Incident Response Coordination Center sits at the top, supported by the Virtual Expert Team; beneath them are the local business units NCC, Headquarters, Programs, Regions, and ORD and Labs, each with a set of nodes numbered 1 through 6 whose labels were not recoverable from the page.]

APPENDIX V

Report Distribution

Recipients

       Director, OMB
       Administrator, Environmental Protection Agency (1101A)

Office of Inspector General

       Inspector General (2410)
       Assistant Inspector General for Audit (2421)
       Media and Congressional Liaison (2410)
       Agency Business Systems Lead (2421)
       Counsel (2411)
       Editor (3AI00)

Headquarters Office

       Chief Information Officer (2801A)
       Assistant Administrator, Office of Environmental Information (2801A)
       Director, Office of Technology Operations and Planning (2831)
       Director, National Technology Services Division (MD-34)
       Director, Technical Information Security Staff (2831)
       Chief, Formulation and Control Policy Branch, Annual Planning and Budget Division (2732A)
       Agency Follow-up Official (2710A)
       Agency Audit Follow-up Coordinator (2724A)
       Audit Liaison, Office of Environmental Information (2812A)
Alternate Audit Liaison, Office of Environmental Information (2812A)\n\n\n\n\n                                              17\n\x0c'